Re: Review of Proposed Implementer’s Draft of OpenID 2.0 to OpenID Connect Migration Specification

Chris Drake christopher at pobox.com
Wed Sep 24 17:14:26 UTC 2014


Hi Nat,

I remember back when the original OpenID was forming, and a bunch of my suggestions got shoved "out of scope"... which are now being brought back into scope via OpenID Connect.  It's cold comfort, but at least I get to brag "I told you so" after the fact :-)

Scratch the surface of any megahack, and 9 times out of 10 it was caused by phishing.  Personally, I don't see the point wasting effort on OpenID Connect when it's merely going to exacerbate what is already a crippling problem.

There's a bunch of smart and experienced people on this list - they should put their heads together and use the power and knowledge present to fix what is reported as being behind 91% of the world's security problems, most especially when OpenID users are significantly more vulnerable to these attacks, and at risk once attacked.  "Get it right" is better than "get it now" IMHO.

Kind Regards,
Chris Drake


Wednesday, September 24, 2014, 9:57:03 PM, you wrote:


The authentication mechanism itself is out of scope. 
You can, as an OP, select whatever the authentication mechanism you may want to use. 
OpenID Connect is concerned about transferring the information around the authentication event to another party. 
It is a federation protocol. 

Nat

2014-09-25 1:17 GMT+09:00 Chris Drake <christopher at pobox.com>:
Hi,

Can anyone tell me if any kind of mutual-authentication or other kind of phishing-protection is present anywhere in the specs?

Kind Regards,
Chris Drake



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


